The United States' Department of Health and Human Services has proposed amending laws around non-monetary donations in a bid to help doctors protect healthcare services from cyber-attacks.
On October 17, the DHHS published proposed rules to update the regulatory Anti-Kickback Statute (AKS) safe harbors as well as exceptions to the Physician Self-Referral (PSR) Law, commonly known as the Stark Law.
Among the proposed changes is a new safe harbor/exception that would make it legal for entities to make non-monetary donations of cybersecurity technology and related services to physicians.
Certain criteria must be met when making a donation, but, in general, the services that the safe harbor/exception would protect include risk assessments, installation of cybersecurity software, and cybersecurity or business continuity as a service.
As for technology, the changes would allow for the donation of software that can assist with malware prevention, business continuity, and encryption, but would not permit the donation of hardware.
Powering the proposed changes is the idea that making cybersecurity more accessible to all healthcare providers, regardless of their financial situation, will better protect patients and the healthcare industry as a whole in the face of a rising number of cyber-attacks.
The HHS Office of Inspector General (OIG), which published the AKS proposed rule, wrote: "We believe this proposed safe harbor could help improve the cybersecurity posture of the healthcare industry by removing a real or perceived barrier that would allow parties to address the growing threat of cyberattacks that infiltrate data systems and corrupt or prevent access to health records and other information essential to the delivery of healthcare."
OIG noted that the increase in interoperability and data sharing in the healthcare industry means that threat actors can launch large-scale attacks on multiple services by exploiting a single healthcare provider with poor cybersecurity.
OIG wrote: "The healthcare industry and the technology used to deliver healthcare have been described as an interconnected 'ecosystem' where the 'weakest link' in the system can compromise the entire system.
"Given the prevalence of protected electronic health information and other personally identifiable information stored within these systems, as well as the processing and transmission of this information and other critical information within a given provider’s systems as well as across the healthcare industry, the risks associated with cyberattacks may be most immediate for the 'weak links' but have implications for the entire healthcare system."